Can AI Spot a Fake Face? How ChatGPT Detects Face Morphing Attacks Without Training

Introduction

Imagine a world where a cleverly altered passport photo could allow two individuals to share the same identity and bypass border security without raising suspicion. Sounds like something out of a spy thriller, right? Unfortunately, it’s a real security threat known as face morphing attacks. These attacks involve blending two faces into one to create a passport photo that matches both individuals, potentially fooling face recognition systems (FRS).

With growing concerns about identity fraud, researchers have been working on methods to detect morphing attacks (MAD). However, most current solutions rely on machine learning techniques that require extensive training on large datasets—which isn’t always practical. Enter an exciting new approach: zero-shot learning (ZS) powered by Large Language Models (LLMs) like ChatGPT.

In an innovative study, researchers explored whether ChatGPT (powered by GPT-4 Turbo) could detect face morphing attacks without prior training. Their findings suggest that AI can indeed spot fake faces—and even explain its reasoning in human-like language! This blog post breaks down how it all works and why it could be a game-changer for security applications.

Understanding Face Morphing Attacks

What Is a Face Morphing Attack?

A face morphing attack occurs when two different individuals’ facial features are blended into a single image using sophisticated image-editing techniques. If done correctly, the final image retains enough resemblance to both people that face recognition software might falsely match it to either person.

This can be especially dangerous in scenarios like:

• Passport applications – If a criminal and their accomplice submit a morphed passport photo, both can use the same passport to travel.
• Automated border crossings – Some AI-powered border control systems rely solely on facial recognition rather than human validation.

These attacks are hard to detect with the naked eye, especially when advanced morphing techniques are used.

The Challenges of Detecting Morphing Attacks

Detecting morph images is a tricky task because:

1. Lack of Reference Images – Most morph detection techniques compare a submitted photo to another trusted image (Differential Morphing Attack Detection, or D-MAD). But in real-world scenarios like passport applications, there’s often only one image available, making Single-Image Morphing Attack Detection (S-MAD) much harder.
2. Variability in Morphing Techniques – Morph images can be created using different methods, some leaving clear traces while others look remarkably realistic.
3. Limited Datasets – Creating diverse and high-quality face morphing datasets is difficult, limiting the training of existing AI models.
4. Lack of Explainability – Even when deep learning models make correct predictions, they often cannot explain how or why they reached a conclusion—making it hard to trust the system in high-stakes scenarios like border security.

This brings us to the study’s main question: Can ChatGPT detect face morphing attacks in a zero-shot setting, meaning without any prior training on morphed images?

ChatGPT’s Deep Dive into Morphing Attack Detection

The researchers devised two different zero-shot MAD methods:

1. Using Pre-Trained Vision Models – These models (like ResNet34 and VGG16) were trained for general image classification and tested to see if they could differentiate real vs. morphed faces based on how “far” their embeddings were from known real images.
2. Leveraging GPT-4 Turbo – Instead of relying on traditional computer vision, researchers designed carefully crafted text prompts to guide ChatGPT through the morphing detection task.

How Did ChatGPT Analyze Images?

Since ChatGPT isn’t explicitly trained on morphing attack detection, the researchers prompted it using step-by-step reasoning techniques (known as Chain-of-Thought prompting). They tested multiple prompts to see which worked best, including:

• Binary classification prompts – “Is this a morphing attack? Answer yes or no.”
• Probability-based prompts – “What is the likelihood this image is a morphing attack (0-100%)?”
• Artifact detection prompts – “Describe any signs of morphing in this image.”

Some prompts led to biased results, meaning ChatGPT was too cautious and labeled too many legitimate images as “morphs.” However, prompts that asked for probability scores or artifact-based explanations led to more balanced and reliable outputs.

Experimental Findings: How Well Did ChatGPT Perform?

To test how well ChatGPT and vision models performed, the researchers created a dataset of print-scanned morphed images using three advanced morphing techniques:

1. Landmark-based morphing (LMA-UBO)
2. GAN-generated morphs (MIPGAN-II)
3. Diffusion-based morphs (Morph-PIPE)

Key Performance Metrics

The study compared error rates (wrong classifications) and detection accuracy using standard metrics like:

• Morphing Attack Classification Error Rate (MACER) – Percentage of fake images incorrectly identified as real.
• Bona Fide Classification Error Rate (BPCER) – Percentage of real images wrongly labeled as attacks.
• Equal Error Rate (EER) – The point where MACER and BPCER are equal, giving an overall detection measure.

Top Findings:

• The best-performing prompt (Prompt 5: probability-based questioning) resulted in better detection accuracy than most vision models.
• ChatGPT was particularly strong at identifying Morph-PIPE attacks, likely because this method creates distinct artifacts.
• Some morphing techniques, like MIPGAN-II (which uses AI-generated faces), were harder for ChatGPT to distinguish from real faces.
• Using a multi-round fusion strategy (combining outputs from multiple tests) improved ChatGPT’s consistency.

Explainability: A Major Advantage of LLMs

One of the biggest benefits of using ChatGPT for MAD is its ability to explain its reasoning in natural language.

Unlike traditional machine learning models, which output a simple “yes” or “no,” ChatGPT provided descriptive insights:

• “I detect artifacts in the eye region and inconsistent skin texture.”
• “This image has lighting inconsistencies that suggest possible morphing.”

This means ChatGPT could help human operators understand why an image was flagged, making it more useful in real-world applications.

What This Means for the Future of AI-Powered Security

The study shows that even without explicit training in detecting face morphs, LLMs can help spot digital forgeries in a human-like way. This approach could:

• Enhance border security by providing a secondary validation tool for automated checkpoints.
• Improve fraud detection in digital identity verification processes.
• Reduce reliance on massive labeled datasets, making AI detection more scalable.

However, ChatGPT isn’t perfect. The study found it can be unpredictable (non-deterministic) at times, meaning two runs on the same image might not always yield the same result. Future research could refine these methods with fine-tuning, advanced prompt design, or hybrid AI-human verification systems.

Key Takeaways

• Face morphing attacks pose serious security risks by allowing identity fraud in passport and access control systems.
• ChatGPT (GPT-4 Turbo) was tested on detecting morphing attacks without prior training (zero-shot learning).
• Using step-by-step prompts, GPT-4 Turbo was able to identify morphs with surprising accuracy—especially with probability and artifact-based prompts.
• Compared to traditional vision models, ChatGPT demonstrated strong generalization and unique explainability.
• Despite some limitations (occasional inconsistency), this study highlights the potential of LLMs in AI-powered security tasks.

Final Thought

Will AI-powered security checks become the norm at airports and identity verification systems? Possibly. While models like ChatGPT aren’t foolproof, studies like this one push the boundaries of what AI can do, showing that zero-shot learning approaches might be a viable solution for future security concerns.

As AI improves, one thing is certain: Fraud detection is no longer just about training machines—it’s also about teaching them to “reason” like humans. 🔍💡

If you are looking to improve your prompting skills and haven’t already, check out our free Advanced Prompt Engineering course.

This blog post is based on the research article “ChatGPT Encounters Morphing Attack Detection: Zero-Shot MAD with Multi-Modal Large Language Models and General Vision Models” by Authors: Haoyu Zhang, Raghavendra Ramachandra, Kiran Raja, Christoph Busch. You can find the original article here.